DATAPRIVACY POLICY

PLATFORM DATAPRIVACY POLICY KYC SPIDER AG

I. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws and regulations that determine the purposes and means of processing personal data is:

KYC Spider AGGubelstrasse 116300 Zug

The data protection officer / data protection coordinator of the controller can be contacted at:

II. General Information regarding the Processing of Personal Data

1. Scope of processing of personal data

We only process personal data if this is necessary to provide a functional website as well as our contents and services. The processing of our users' personal data is normally only carried out with your prior consent, except those cases where prior consent cannot be obtained for factual reasons and the processing of personal data is permitted by law.

2. Legal basis for processing of personal data

Ifthe data subject has given his/her consentto the processing of personal data, art. 6 (1) (a) EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing.

If the processing of personal data is necessary for theperformance of a contract to which the data subject is party, art. 6 (1) (b) GDPR serves as the legal basis for the processing. This also applies to processing operations that are necessary to carry out pre-contractual measures.

If the processing of personal data is necessaryfor compliance with legal obligationto which our company is subject, art. 6 (1) (c) GDPR serves as the legal basis for the processing.

If the processing of personal data is necessary to protect thevital interests of the data subjector another natural person, article 6 (1) (d) GDPR serves as the legal basis for the processing.

If the processing of personal data is necessary for the purposes of thelegitimate interests pursued by our company or a third partyand where such interests are not overridden by the interests, fundamental rights and freedoms of the data subject which require protection of personal data, art. 6 (1) (f) GDPR serves as the legal basis for the processing.

3. The erasure and storage of personal data

The personal data of the data subject will be erased or blocked as soon as it is no longer necessary in relation of the purpose of storage. Furthermore, personal data may be stored if this has been required by regulations, laws or other provisions to which our company is subject. The personal data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

III. General information about our Platform and this Privacy Policy

1. KYC Toolbox

If using our platform, you will have access to our toolbox, which provides you a complete solution for the implementation of your KYC Compliance process. You will have access to different tools for example:

Check

Verify Risks

Enhanced Due Diligence Report

Onboarding Chatbot

Storage of the KYC Files

Etc.

You find a detailed description of our KYC Toolbox in the [Factsheet].

2. KYC Expert

In case you would like us to perform the KYC process of your customers, suppliers, etc., we will use our toolbox and all necessary Tools for you.

You find a detailed description of our KYC Expert offer in the [Factsheet].

3. Difference between Customer Data and Data of Entity to be checked

A distinction is made in this privacy policy between two different types of data:

Customer Data (hereinafter also named as Data of KYC-Customer)It is about your data as our (potential) client or user.

Data of the Entity to be checked (hereinafter also named as Data of Customers of KYC-Customers)These are the data about the persons or organisation which you as our customer enter and check on our platform. You are solely responsible for the lawful data processing made in this context, - see below, point V.

IV. First Access/Registration (via link on the website)

1. Description and scope of data processing

If you are interested to create a test account, buy a subscription or ask for an offer, you will be redirected to our platform for registration. In order to open a test account, buy a subscription or ask for an offer, the following data (requested and entered by you) will be collected and stored:

Organization (company and address)

Salutation

Family name and first name

E-Mail-address

Telephone number

Subscription

Further data requested in the form or chatbot

In the course of the registration process, the user's consent to the processing of the data is obtained. Furthermore, it will be referred to this privacy policy and our terms and conditions.

Regarding the sharing on of data with third parties, please see item VI below.

2. Legal basis for processing

The legal basis for the processing of data is art. 6 (1) (a) GDPR if the user has given his consent.

If registration serves to perform a contract to which the user is party or to implement pre-contractual measures, the additional legal basis for the processing of the data is art. 6 (1) (b) GDPR.

3. Purpose of processing

The registration of the user is necessary for the performance of a contract between KYC and the user or for the implementation of pre-contractual measures within the scope of the services rendered by KYC.

4. Period of storage

The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected.

Consequently, the personal data collected during the registration process to perform a contract or to carry out pre-contractual measures are erased as soon as it is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data in order to meet contractual or legal obligations.

5. Possibility of objection and erasure

As a user you have the possibility to cancel the registration and to change the data stored about you at any time.

If the personal data is necessary to perform a contract or to carry out pre-contractual measures, an early erasure of the data is only possible if neither contractual nor legal obligations prevent a deletion.

V. Usage of the Platform/Toolbox

1. Description and scope of data processing

Data of KYC-Customer:In the course of the usage of the platform, the above-mentioned data in item IV (data of KYC-customers) will be stored.

Regarding the transmission of data to third parties, please see item VI below.

Data of Entity to be checked (Data of Customers of KYC-Customers):Furthermore, the results (reports) with regard to the persons/organisations checked may be stored. In the course of the usage of the individual Tools, the following data, among others, will be collected:

Organization

Family name and first name

Date of birth

Country of origin

Country of residence

Other data requested in the form or chatbot and entered by you/the person to be checked

Regarding the transmission of data with third parties, please see item VI below.

2. Legal basis for processing

Data of KYC-Customer:The legal basis for the processing of data is art. 6 (1) (a) GDPR if the user has given his consent.

If registration serves to perform a contract to which the user is party or to implement pre-contractual measures, the additional legal basis for the processing of the data is art. 6 (1) (b) GDPR.

Data of Entity to be checked (Data of Customers of KYC-Customers):You are solely responsible for the transmission of the data to us resp. entering the data and checking of persons/organisations as well as for lawfulness thereof and the compliance with all corresponding data protection transparency obligations. KYC Spider AG assumes no liability in this regard. In the event of any violation of this provision, you will indemnify KYC Spider AG against any third-party claims (in particular those of the data subject).

3. Purpose of processing

The Platform is an instrument for checking a person or organization on relevant information regarding money laundering. For this purpose, KYC provides the KYC Records [KYC Records Description]. With the access to / search in KYC Records, the extended identification obligations of the financial intermediary according to the Federal Act on Combating Money Laundering and Terrorist Financing (AMLA as of 1st January 2016) are fulfilled. The financial intermediary detects client relationships with sanctioned persons/organisations (i.e. data pursuant to Art. 22a AMLA) and PEP background (i.e. qualification characteristics pursuant to art. 2a para. 2 AMLA). In addition, KYC Records shows references to further detectable and clarification-relevant information. Finally, KYC Records enable traceable documentation of the corresponding clarification.

4. Period of storage

Data of KYC-Customer:The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected.

Consequently, the personal data collected are needed to perform a contract or to carry out pre-contractual measures are erased as soon as it is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data in order to meet contractual or legal obligations.

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of the entity to be checked will be deleted after four weeks. You (customer) are responsible to download all documents and data and store them for possible audit purposes.

However, we offer an option to store every document and data in our Toolbox (Tool "Document Store"). You are welcome to contact us in this matter.

5. Possibility of objection and erasure

Data of KYC-Customer:As a user you have the possibility to cancel the registration and to change the data stored about you at any time.

If the personal data is necessary to perform a contract or to carry out pre-contractual measures, an early erasure of the data is only possible if neither contractual nor legal obligations prevent a deletion.

Data of Entity to be checked (Data of Customers of KYC-Customers):The entity to be checked has the possibility to ask for access, erasure, changing etc. of the data stored in our KYC Records at any time. In this regard we refer to our "KYC Records Policy" or the below mentioned in item VII.

VI. Cooperation with Third Parties

For the operation of our platform we use, among others, the following third-party providers:

Hubspot

1. Scope of processing of personal data

We use Hubspot for our Customer Relationship Management System (CRM) and Inbound Marketing System. For this purpose, the following data (among others) of KYC-customers will be shared and stored on Hubspot:

The processing and storage of users' personal data in the CRM, hosted by the third-party provider Hubspot, is necessary, among other things, to perform the contract between KYC and the user or to carry out pre-contractual measures within the scope of services of KYC. The creation of internal overviews and evaluations of subscriptions and the usage of our tools helps us to continuously improve our services. This is also our legitimate interest in data processing.

This data will only be used for these purposes and will not be transmitted to other third parties.

4. Period of storage

Data of KYC-Customer:The data will be deleted as soon as it is no longer needed for our recording purposes.

Consequently, the personal data collected during the registration process to perform a contract or to carry out pre-contractual measures are erased as soon as it is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to meet contractual or legal obligations.

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of a person/organization to be checked are not stored in the CRM (hosted by HubSpot).

5. Possibility of objection and erasure

Data of KYC-Customer:As a user you have the possibility to cancel the registration and to change the data stored about you at any time.

If the personal data is necessary to perform a contract or to carry out pre-contractual measures, an early erasure of the data is only possible if neither contractual nor legal obligations prevent a deletion.

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of a person/organization to be checked are not stored in the CRM (hosted by HubSpot).

BitRank

1. Scope of processing of personal data

BitRank is a service provider for transaction screenings. We are using the services of BitRank for the verification of a Blockchain Address to receive a risk rating on this specific Blockchain Crypto Property (BCP).

The processing and storage of user data is necessary, among other things, for the fulfilment of the contract between KYC and the user or for the provision of the KYC services (verification of blockchain addresses). This is also our legitimate interest in data processing.

This data will only be used for these purposes and will not be transmitted to other third parties.

4. Period of storage

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of the entity to be checked will be deleted after four weeks. You (customer) are responsible to download all documents and data and store them for possible audit purposes.

5. Possibility of objection and erasure

Data of Entity to be checked (Data of Customers of KYC-Customers):The entity to be checked has the possibility to ask for access, erasure, changing etc. of the data stored in our KYC Records at any time. In this regard we refer to our "KYC Records Policy" or the below mentioned in item VII.

Eurospider Information Technology AG

1. Scope of processing of personal data

Eurospider Information Technology AG is a computer science company which develops and offers software as well as other products. Eurospider supports KYC, among others, in IT matters as well as develops and operates the platforms and software and prepares the necessary data for the KYC Records.

The processing and storage of users' personal data in the Platform, hosted by the third-party provider Eurospider, is necessary, among other things, to perform the contract between KYC and the user or to carry out pre-contractual measures within the scope of services of KYC. This is also our legitimate interest in data processing.

This data will only be used for these purposes and will not be transmitted to other third parties.

4. Period of storage

Data of KYC-Customer:The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected.

Consequently, the personal data collected which are needed to perform a contract or to carry out pre-contractual measures are erased as soon as it is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data in order to meet contractual or legal obligations.

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of the entity to be checked will be deleted after four weeks. You (customer) are responsible to download all documents and data and store them for possible audit purposes.

However, we offer an option to store every document and data in our Toolbox (Tool "Document Store"). You are welcome to contact us in this matter.

5. Possibility of objection and erasure

Data of KYC-Customer:As a user you have the possibility to cancel the registration and to change the data stored about you at any time.

If the personal data is necessary to perform a contract or to carry out pre-contractual measures, an early erasure of the data is only possible if neither contractual nor legal obligations prevent a deletion.

Data of Entity to be checked (Data of Customers of KYC-Customers):The entity to be checked has the possibility to ask for access, erasure, changing etc. of the data stored in our KYC Records at any time. In this regard we refer to our "KYC Records Policy" or the below mentioned in item VII.

Information regarding the third party provider Eurospider Information Technology AG:

Intrum AG

1. Scope of processing of personal data

Intrum AG is a company that offers services in the sector of Credit Management Services. Among other things, Intrum offers an Identity Platform in cooperation with IDnow, which covers the identification requirements for an onboarding of a customer. The cooperation consists in offering the video identification process via Intrum.

The processing and storage of user data is necessary, among other things, for the fulfilment of the contract between KYC and the user or for the provision of the KYC services (Video Identification). This is also our legitimate interest in data processing.

4. Period of storage

Data of KYC-Customer:The data will be erased as soon as it is no longer necessary to achieve the purpose for which it was collected.

Consequently, the personal data collected which are needed to perform a contract or to carry out pre-contractual measures are erased as soon as it is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data in order to meet contractual or legal obligations.

Data of Entity to be checked (Data of Customers of KYC-Customers):The data of the entity to be checked will be deleted after four weeks. You (customer) are responsible to download all documents and data and store them for possible audit purposes.

However, we offer an option to store every document and data in our Toolbox (Tool "Document Store"). You are welcome to contact us in this matter.

5. Possibility of objection and erasure

Data of KYC-Customer:As a user you have the possibility to cancel the registration and to change the data stored about you at any time.

If the personal data is necessary to perform a contract or to carry out pre-contractual measures, an early erasure of the data is only possible if neither contractual nor legal obligations prevent a deletion.

Data of Entity to be checked (Data of Customers of KYC-Customers):The entity to be checked has the possibility to ask for access, erasure, changing etc. of the data stored in our KYC Records at any time. In this regard we refer to our "KYC Records Policy" or the below mentioned in item VII.

VII. Rights of the data subject

If personal data concerning you are processed, you are a data subject within the meaning of the GDPR and you have the following rights:

1. Right of access

You can ask the controller to confirm whether personal data concerning you is being processed by us.

Is that the case, you can request the following information from the controller:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipient to whom the personal data has been or will be disclosed;

the envisaged period for which the personal data will be stored, or, if specific information on this is not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning you or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data is not collected from you, any available information as to their source;

the existence of automated decision-making, including profiling, in accordance with art. 22 (1) and (4) GDPR and - at least in those cases - meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to art. 46 GDPR relating to the transfer.

2. Right to rectification

You have the right to obtain from the controller the rectification and/or completion of incorrect or incomplete personal data concerning you. The controller shall make the correction/completion without delay.

3. Right to restriction of processing

Under the following conditions, you have the right to request the restriction of processing of personal data concerning you:

the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;

the processing is unlawful, and you refuse the erasure of the personal data and request the restriction of their use instead;

the controller no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or

you have objected to processing pursuant to art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override those of you.

Where processing of personal data concerning you has been restricted, such personal data may only be processed – with the exception of storage – with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.

If the processing restriction has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

4.1. Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:

the personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;

you withdraw consent on which the processing is based pursuant to art. 6 (1) (a) or art. 9 (2) (a) GDPR, and where there is no other legal basis for the processing;

you file an objection to the processing pursuant to art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you file an objection to the processing pursuant to art. 21 (2) GDPR;

the personal data concerning you has been unlawfully processed ;

the deletion of personal data concerning you is necessary to fulfil a legal obligation in Union or Member State law to which the data controller is subject ;

the personal data concerning you was collected in relation to the offer of information society services referred to in art. 8 (1) GDPR.

4.2. Information to third parties

Where the controller has made the personal data public and is obliged pursuant to art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

4.3. Exceptions

The right to erasure shall not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information;

for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller ;

for reasons of public interest in the area of public health in accordance with art. 9 (2) (h) and (i) and art. 9 (3) GDPR;

for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with art. 89 (1) GDPR, insofar as the right referred to in a) is likely to render it impossible or seriously impair the achievement of the objectives of that processing ; or

for the establishment, exercise or defence of legal claims.

5. Right to information

If you have exercised your right of rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to obtain from the controller the information about those recipients.

6. Right to data portability

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided, where:

the processing is based on consent pursuant to art. 6 (1) (a) GDPR or art. 9 (2) (a) GDPR or on a contract pursuant to art. 6 (1) (b) GDPR ; and

the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others shall not be affected by this.

The right to data portability shall not apply to processing necessary for the performance of a task carried out of a public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The data controller no longer processes the personal data concerning you, unless he demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related with such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

You have the possibility to exercise your right of object in the context with the use of information society services, and notwithstanding Directive 2002/58/EC, by automated means using technical specifications.

8. Right to withdraw the consent to process personal data

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

is necessary for the conclusion or performance of a contract between you and the controller,

is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

is based on your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to art. 9 para. 1 GDPR, unless art. 9 para. 2 let. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

In the cases referred to in points a) and c), the controller implements suitable measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to art. 78 GDPR.

VIII. Amendment of this Privacy Policy

We reserve the right to change this privacy policy at any time without prior notice. We will inform you of any changes by publishing the updated privacy policy on our website. Any changes we make will be effective from the date of publishing on our website.

XI. Validity of Language Version

This agreement is issued and made available to the Parties an English and a German language version [German Version]. In case of conflict between the English and the German language version of this agreement, the provisions of the German language version shall prevail.

X. Representatives of responsible persons or processors not settled in the Union

Our representative in the EU (according to Art. 27 DSGVO) can be reached as follows:

KYC Spider offers all the necessary compliance services relevant not only for finance intermediaries and banks, but also for fintechs and industrial corporations: Embargo, sanctions screening, PEP and crime check and compliance documentation.

You can reach us dring following opening hours:Monday to Friday, 9.00 am - 5.00 pm